Analysis Overview
SHA256
e3ff0de76a44978ebd02b890f66be6f3f4320c99f8b443de1877d4e16a4a5443
Threat Level: Likely malicious
The file goodbyedpi-0.2.3rc1-2.zip was found to be: Likely malicious.
Malicious Activity Summary
Download via BitsAdmin
Unsigned PE
System Location Discovery: System Language Discovery
Browser Information Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious behavior: LoadsDriver
Modifies data under HKEY_USERS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-02 22:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral11
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win7-20240704-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd"
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win7-20240708-en
Max time kernel
15s
Max time network
17s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2380 wrote to memory of 2640 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2380 wrote to memory of 2640 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2380 wrote to memory of 2640 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2380 wrote to memory of 2640 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2380 wrote to memory of 2640 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2380 wrote to memory of 2640 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2380 wrote to memory of 2640 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert.dll,#1
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win10v2004-20240802-en
Max time kernel
130s
Max time network
134s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert32.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert32.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert32.sys
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4076,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win7-20240705-en
Max time kernel
16s
Max time network
17s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert.dll,#1
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win7-20240705-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2096 wrote to memory of 2528 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 2096 wrote to memory of 2528 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 2096 wrote to memory of 2528 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country_dnsredir.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253
Network
Files
memory/2528-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/2528-0-0x000000013F890000-0x000000013F8B0000-memory.dmp
memory/2528-2-0x000000013F890000-0x000000013F8B0000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win10v2004-20240802-en
Max time kernel
125s
Max time network
127s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4520 wrote to memory of 1392 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 4520 wrote to memory of 1392 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3980,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=4420 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
memory/1392-0-0x00007FF6E28A0000-0x00007FF6E28C0000-memory.dmp
memory/1392-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/1392-4-0x00007FF6E28A0000-0x00007FF6E28C0000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win10v2004-20240802-en
Max time kernel
92s
Max time network
123s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1328 wrote to memory of 3152 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 1328 wrote to memory of 3152 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist_dnsredir.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/3152-0-0x00007FF7D81B0000-0x00007FF7D81D0000-memory.dmp
memory/3152-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/3152-2-0x00007FF7D81B0000-0x00007FF7D81D0000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win10v2004-20240802-en
Max time kernel
77s
Max time network
125s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3540 wrote to memory of 1176 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3540 wrote to memory of 1176 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3540 wrote to memory of 1176 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win7-20240704-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"
Network
Files
memory/2388-0-0x000000013F930000-0x000000013F950000-memory.dmp
memory/2388-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/2388-2-0x000000013F930000-0x000000013F950000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win7-20240704-en
Max time kernel
22s
Max time network
19s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2364 wrote to memory of 2196 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 2364 wrote to memory of 2196 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 2364 wrote to memory of 2196 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist_dnsredir.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
Network
Files
memory/2196-0-0x000000013F510000-0x000000013F530000-memory.dmp
memory/2196-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/2196-4-0x000000013F510000-0x000000013F530000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
128s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win7-20240705-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe
"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe"
Network
Files
memory/3024-0-0x000000003F540000-0x000000003F55F000-memory.dmp
memory/3024-1-0x0000000063D40000-0x0000000063D4F000-memory.dmp
memory/3024-2-0x000000003F540000-0x000000003F55F000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win7-20240704-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3024 wrote to memory of 2888 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe |
| PID 3024 wrote to memory of 2888 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe |
| PID 3024 wrote to memory of 2888 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd"
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer blacklist https://p.thenewone.lol/domains-export.txt "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | p.thenewone.lol | udp |
| LV | 195.123.208.131:443 | p.thenewone.lol | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:07
Platform
win10v2004-20240802-en
Max time kernel
208s
Max time network
210s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc9bcbcc40,0x7ffc9bcbcc4c,0x7ffc9bcbcc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,15187740476726565405,1649648408874317000,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1908 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1956,i,15187740476726565405,1649648408874317000,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2084 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2320,i,15187740476726565405,1649648408874317000,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2332 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,15187740476726565405,1649648408874317000,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3192 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3320,i,15187740476726565405,1649648408874317000,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3220 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3700,i,15187740476726565405,1649648408874317000,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4556 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4804,i,15187740476726565405,1649648408874317000,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4932 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,15187740476726565405,1649648408874317000,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4736 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4932,i,15187740476726565405,1649648408874317000,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5000 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 142.250.27.105:443 | www.google.com | tcp |
| NL | 142.250.27.105:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 94.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| NL | 142.250.102.138:443 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 138.102.250.142.in-addr.arpa | udp |
| NL | 142.250.102.138:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | 94.102.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
memory/4720-0-0x00007FF7C10E0000-0x00007FF7C1100000-memory.dmp
memory/4720-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/4720-2-0x00007FF7C10E0000-0x00007FF7C1100000-memory.dmp
\??\pipe\crashpad_2512_TQFBSAYNMQRETJQR
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | e2b2c145118b9c50d2d446130b0fdd4a |
| SHA1 | 4d38b816f79109f7cebadd780d1ad85c5ff234b6 |
| SHA256 | e9a56fe909ab9ae0d81095d1714d801eb431b66a0ffdf19e7693883824f15270 |
| SHA512 | 758263f56b309ff4e792096957733d1b91a9296fd974719f8907a36614d0be84a071c8f0dff839e0dad8fce92ca762ae11dca45569b08f435fcff142b2a16172 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e089a6ce-149c-434b-8f20-9002785ff014.tmp
| MD5 | 41e9abd1ab23adf47d8b7faedf89103b |
| SHA1 | f9d850a500d1c41cbfc0d13619ed0f2e14e3797e |
| SHA256 | 42c0b13a555d6a0b4dc947876436d35e9f6c390af2541a3e41960974fb89a51f |
| SHA512 | 6b8e42efe2ed60b4cc46a2d281d743ec298fc6ea5cb917b0bb78ef95d6b7766cbbf24c7072951b420daa815f607621394382767f9bfb9691115fec158b439839 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | bd837c3ce4c0a6d424e7ba96b96d6eed |
| SHA1 | 18007fcc5a8053cc65838280484b658b271b0797 |
| SHA256 | e354d3ff9cbb4f62e3570246f803472e89c143340b490ff1c8007e0827d7ca1a |
| SHA512 | deca7f8b5e6ac1cb8b10e3e082e3ddc67b628c410257a79a0ad4f1fe0471b13a12a22d5642af971b435a88751a2650a1aa837a139fe5ba74bc2ac68ba9d02231 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001
| MD5 | 3e552d017d45f8fd93b94cfc86f842f2 |
| SHA1 | dbeebe83854328e2575ff67259e3fb6704b17a47 |
| SHA256 | 27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6 |
| SHA512 | e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 546d20d1c9fc7aa1121b91f9df02a108 |
| SHA1 | 3b4a8a564d72cd9fdc715c9c9c4b5a80f3b43e82 |
| SHA256 | 25d5687bdc3acd6d422b9e5a10e2022dd10e26c9d44a4b50630e71cd190e396f |
| SHA512 | 63fc31bf07c8060ec41595974f6f86975f4a3d9242bd24ea90e09e4c7880244df608c32cabe422670f93229a20d430132a6ad8d87a706018983155a2836cf741 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 299b9f96575edef7175dc465d2593c1b |
| SHA1 | 3a0698d5bbf1d8b988c5629a72382ba09259e515 |
| SHA256 | 2ab2f1a08420e850e3b313ac5b6b150f0cd42f03beae803ab8c6314414eda6cb |
| SHA512 | 07d872769218749c1ba9924bc00397bc89661e3947a5fc6f859d34c0ae00eaf6ae2e8746e41044b5d4dfe643d8f0ede9c3df452d31b768a52e343440fe947efe |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 23156ee3e0dbdf2150c912ef41dc4272 |
| SHA1 | b3364dee15261f421b35ad2ba84fd4bbd8e5ab18 |
| SHA256 | 7fd53342540633db9e83d387190786dbbedbb85e5d711f022b3b812f5c0f2f54 |
| SHA512 | 623cd20afc4eead37474229dafc57663b5e0d2b93925b715452c2953ed9aa47271e3b92de35b628e7dbe4380c6b2702ef164fdd85e6d82fee8c54c7276be93c0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 87914276047d9bcf7b8de331fd70d9be |
| SHA1 | 18e32c29a2f60035d2519e6231da07e92a68d183 |
| SHA256 | 0b5acad091f16e232855cc3ab828883b727b8e4d44ba52fa2a50a0ebb2fb3d0f |
| SHA512 | 7d493397d7acebb2b01e74628d8991bc51e490a011d2fc6edf73321e831567d9548356a6e869c2419a326b8f478f26dc51514e6824a89100031a002542db5fd4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | de5ff7a1ac9f65522471f6f4d3305a51 |
| SHA1 | 68400a0a82066bfb457ee66b06194e45327b4ddf |
| SHA256 | 1d1b90837bed976fd13af4cfe9274fc9edc848943f3e736999fe4c77cc48cd7f |
| SHA512 | 0dec128a5137fc15f4323ce01814035b020fe91c23cc47a09484109899aea5469b3ce52f2847aae721ae7520a2659ccf1f3bc0264373dec1a4fe662912af7ecd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
| MD5 | 598a3444e3a701e6ca0799dd9bc7027c |
| SHA1 | 79f2f25ee46287035a19dd492777c3c086aca333 |
| SHA256 | 04c6ede0797dca84fc27f4058ecc6229410ce72084b5f64846f99f4cb2a01306 |
| SHA512 | f67fb3751fb494a6ebd05394b1f1b1f4d736f0a7c6ff07d6e87ccaae73dd96f90058b7c3209ea76bccc2d625b587219578b2cb7a93033bf22122dfd080157aba |
Analysis: behavioral15
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win7-20240729-en
Max time kernel
14s
Max time network
18s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_remove.cmd"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win10v2004-20240802-en
Max time kernel
81s
Max time network
122s
Command Line
Signatures
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1288 wrote to memory of 468 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe |
| PID 1288 wrote to memory of 468 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\0_russia_update_blacklist_file.cmd"
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer blacklist https://p.thenewone.lol/domains-export.txt "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\russia-blacklist.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | p.thenewone.lol | udp |
| LV | 195.123.208.131:443 | p.thenewone.lol | tcp |
| US | 8.8.8.8:53 | 131.208.123.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_remove.cmd"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win10v2004-20240802-en
Max time kernel
98s
Max time network
127s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe
"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\goodbyedpi.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/4576-0-0x000000003F1F0000-0x000000003F20F000-memory.dmp
memory/4576-1-0x0000000063D40000-0x0000000063D4F000-memory.dmp
memory/4576-2-0x000000003F1F0000-0x000000003F20F000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win10v2004-20240802-en
Max time kernel
98s
Max time network
127s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win10v2004-20240802-en
Max time kernel
124s
Max time network
128s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4888 wrote to memory of 3060 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 4888 wrote to memory of 3060 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country_dnsredir.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --dns-addr 77.88.8.8 --dns-port 1253 --dnsv6-addr 2a02:6b8::feed:0ff --dnsv6-port 1253
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4092,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=3808 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.246.116.51.in-addr.arpa | udp |
Files
memory/3060-0-0x00007FF756A50000-0x00007FF756A70000-memory.dmp
memory/3060-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/3060-2-0x00007FF756A50000-0x00007FF756A70000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win10v2004-20240802-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist.cmd"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert64.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert64.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86\WinDivert64.sys
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win7-20240729-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2072 wrote to memory of 2528 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 2072 wrote to memory of 2528 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 2072 wrote to memory of 2528 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\2_any_country.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9
Network
Files
memory/2528-0-0x000000013F7E0000-0x000000013F800000-memory.dmp
memory/2528-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/2528-2-0x000000013F7E0000-0x000000013F800000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win7-20240704-en
Max time kernel
13s
Max time network
20s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\service_install_russia_blacklist_dnsredir.cmd"
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win10v2004-20240802-en
Max time kernel
95s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert64.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert64.sys
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\WinDivert64.sys
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win10v2004-20240802-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
"C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/4400-0-0x00007FF731B20000-0x00007FF731B40000-memory.dmp
memory/4400-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/4400-2-0x00007FF731B20000-0x00007FF731B40000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-02 22:04
Reported
2024-08-02 22:06
Platform
win7-20240704-en
Max time kernel
22s
Max time network
21s
Command Line
Signatures
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2556 wrote to memory of 2728 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 2556 wrote to memory of 2728 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
| PID 2556 wrote to memory of 2728 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\1_russia_blacklist.cmd"
C:\Users\Admin\AppData\Local\Temp\goodbyedpi-0.2.3rc1\x86_64\goodbyedpi.exe
goodbyedpi.exe -9 --blacklist ..\russia-blacklist.txt --blacklist ..\russia-youtube.txt
Network
Files
memory/2728-0-0x000000013FAA0000-0x000000013FAC0000-memory.dmp
memory/2728-1-0x0000000062800000-0x0000000062813000-memory.dmp
memory/2728-4-0x000000013FAA0000-0x000000013FAC0000-memory.dmp